On 09/18/2015 01:38 PM, Thomas Goirand wrote:
> Package: release.debian.org
> Severity: normal
> Tags: jessie
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> Dear Stable release team,
>
> I'd like to upload an update of Swift through s-p-u, in order to fix a
> number of issues listed below:
> - User creation was done in a non-OpenStack package standard way, namely
>   missing the --disabled-login option.
> - On removal, the package was calling userdel, which I consider dangerous
>   (potential reuse of the UUID).
> - On purge, /var/cache/swift wasn't removed.
> - The swift-container-sync init script wasn't installed.
>
> More importantly, there are 2 CVEs which need to be fixed:
> - CVE-2015-1856 & OSSA 2015-006: Unauthorized delete of versioned Swift
>   object.
> - CVE-2015-5223: Information leak via Swift tempurls.
>
> The above CVEs were considered not critical enough by the security team
> to deserve a DSA, though they still deserve fixing.
>
> I have attached a debdiff with all of the above problems corrected. The
> pre-built package is also available here:
> http://sid.gplhost.com/jessie-proposed-updates/swift/
>
> Please allow me to upload swift/2.2.0-1+deb8u1 to jessie-proposed-updates.
>
> Cheers,
>
> Thomas Goirand (zigo)

Gentle ping?